This listing of claims will replace all prior versions, and listings, of claims in 
the application: 

The Status of the Claims 

1. (Currently Amended) A method of securely configuring a first 
machine in a pre-operating system environment, the method comprising: 

detecting a message; 

determining an operating mode of the first machine; 

providing an attestation while the first machine is operating in 
the pre-operating system environment for use by a second machine to 
determine whether to send a configuration update to the first machine; 

performing a shared secret key exchange; 

receiving the configuration update when the second 
machine determines that the attestation is authentic; and 

updating a machine configuration in a pre-operating system 
environment. 

2. (Currently Amended) A method as defined in claim 1, wherein 
the message is sent from a second machine. 

3. (Currently Amended) A method as defined in claim 1, wherein 
the operating mode of the first machine comprises at least one of an IT- 
managed machine or a consumer machine. 

4. (Currently Amended) A method as defined in claim 1, wherein 
the attestation comprises at least one of machine identity information or a 
pseudo-anonymous authentication. 

5. (Original) A method as defined in claim 4, wherein the pseudo- 
anonymous authentication is provided by a trusted platform module. 

6. (Currently Amended) A method as defined in claim 4, wherein 
the machine identity information comprises at least one of a serial number, a 
network name, or a cryptographic representation of hardware registers. 

7. (Original) A method as defined in claim 4, wherein the pseudo- 
anonymous authentication comprises an Attestation Identity Key. 

8. (Original) A method as defined in claim 1, wherein updating 
the machine configuration in a pre-operating system environment is adapted to 
operate in an OS-transparent operating mode with networking support. 

9. (Currently Amended) A method of securely configuring 
conveying a configuration update to a client machine operating in a pre- 
operating system environment, the method comprising: 

sending a message to the client machine to determine whether 
the client machine supports receiving configuration updates from a remote 
source while the client machine is operating in the pre-operating system 
environment; 

determining an operating mode of the client machine; 
receiving an attestation from the client machine; 
verifying the attestation; 
performing a shared secret key exchange; and 
sending a configuration update to the client machine in a pre- 
operating system environment. 

10. (Currently Amended) A method as defined in claim 9, wherein 
the message is sent to the client machine. 

11. (Currently Amended) A method as defined in claim 9, wherein 
the operating mode of the client machine comprises at least one of an IT- 
managed device or a personal device. 

12. (Currently Amended) A method as defined in claim 9, wherein 
the attestation comprises at least one of client machine identity information 
or a pseudo-anonymous authentication. 

13. (Currently Amended) A method as defined in claim 12, 
wherein the client machine identity information comprises at least one of a 
serial number, a network name, or a cryptographic representation of 
hardware registers. 

14. (Original) A method as defined in claim 12, wherein the 
pseudo-anonymous authentication comprises an Attestation Identity Key. 

15. (Original) A method as defined in claim 9, wherein the 
attestation is verified by a trusted third party. 

16. (Currently Amended) A method as defined in claim 9, wherein 
the configuration comprises at least one of a firmware setting, a BIOS setting, 
or a machine setting. 

17. (Original) A method as defined in claim 16, wherein the 
configuration update comprises an encrypted configuration update. 

18. (Original) A method as defined in claim 9, wherein sending the 
configuration update to the client machine in a pre-operating system 
environment is adapted to operate in an OS-transparent operating mode with 
networking support. 

19. (Currently Amended) An apparatus to securely configure a 
client machine in a pre-operating system environment, the apparatus 

a client machine comprising: 

a first messaging module configured to detect messages 
and send messages; 

an operating mode; 

a trusted platform module configured to provide an 
attestation while the client machine is operating in the pre-operating system 
environment for use by a server machine to determine whether to send a client 
configuration update to the client machine; 

a first key exchange module configured to perform a 
shared secret key exchange; and 

a configuration module configured to update the client's 
configuration in a pre-operating system environment; and 
the server machine comprising: 

a second messaging module configured to send 
messages and receive messages for use in sending a message to the client 
machine to determine whether the client machine supports receiving 
configuration updates from the server machine while the client machine is 
operating in the pre-operating system environment; 

a second key exchange module configured to perform a 
shared secret key exchange after an attestation has been verified; and 

an update module configured to generate the 
client configuration update. 

20. (Currently Amended) An apparatus as defined in claim 19, 
wherein the client machine's operating mode comprises at least one of an IT- 
managed machine or a consumer machine. 

21. (Currently Amended) An apparatus as defined in claim 19, 
wherein the trusted platform module is configured to use at least one of a 
pseudo-anonymous authentication or machine identity information. 

22. (Currently Amended) An apparatus as defined in claim 19, 
wherein the configuration module is configured to update at least one of a 
firmware setting, a BIOS setting, or a machine setting. 

23. (Original) An apparatus as defined in claim 19, wherein the 
configuration module is adapted to update the client's configuration in an OS- 
transparent operating mode with networking support. 


24. (Currently Amended) An apparatus as defined in claim 19, 
wherein the update module is configured to generate at least one of a firmware 
update, a BIOS update, or a machine setting update. 

25. (Original) An apparatus as defined in claim 19, wherein the 
server machine further comprises an encryption module configured to encrypt 
the client configuration update. 

26. (Currently Amended) A machine readable medium having 
instructions stored thereon that, when executed, cause a machine to: 

detect a message; 

determine an operating mode of the machine; 

provide an attestation while the machine is operating in a pre- 
operating system environment for use by a server to determine whether to send 
a configuration update to the machine; 

perform a shared secret key exchange; 

receive the configuration update when the server 
determines that the attestation is authentic; and 

update a machine configuration in the pre-operating system 
environment. 

27. (Currently Amended) A machine readable medium as defined 
in claim 26, having instructions stored thereon that, when executed, cause the 
machine to receive the message from the server. 

28. (Currently Amended) A machine readable medium as defined 
in claim 26, having instructions stored thereon that, when executed, cause the 
machine to update at least one of a firmware setting, a BIOS setting, or a 
machine setting. 

29. (Currently Amended) A machine readable medium having 
instructions stored thereon that, when executed, cause a first machine to: 

send a message to a client machine to determine whether the 
client machine supports receiving configuration updates from a remote source 
while the client machine is operating in a pre-operating system environment; 

determine an operating mode of a second; 

receive an attestation from the client machine; 

verify the attestation; 

perform a shared secret key exchange; and 
send a configuration update to the client machine in the 
pre-operating system environment. 

30. (Original) A machine readable medium as defined in claim 29, 
having instructions stored thereon that, when executed, cause the first machine 
to send the message via a network connection. 

31. (Original) A machine readable medium as defined in claim 29, 
having instructions stored thereon that, when executed, cause the first machine 
to query a trusted third party to verify the attestation. 

32. (Original) A machine readable medium as defined in claim 29, 
having instructions stored thereon that, when executed, cause the first machine 
to encrypt the configuration update. 



